Your problem is not with SMS as a second factor though. (Unless you think the attacker had your password as well). It is with the use of SMS as a single recovery factor.
The very things that make SMS a uniquely good second factor make it an awful only factor. Use of SMS for account recovery should in general (or at least for important accounts) have a delay (order of days) that allows the real user to intervene.
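The delayed-recovery idea described above, as an added example that is not part of the thread: SMS is accepted as a second factor at login only after the password check succeeds, and an SMS-initiated recovery completes only after a cooling-off delay during which the real user can cancel it. The function names, the three-day delay, the fixed salt and the demo timestamps are assumptions for illustration.

```python
"""Added example (not from the thread): SMS as a second factor at login,
but never as the sole factor for account recovery. Recovery started via
SMS completes only after a cooling-off delay the real owner can cancel."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RECOVERY_DELAY = timedelta(days=3)        # assumption: an order-of-days delay
SALT = b"constructed-demo-salt"           # constructed; use per-user random salts
DEMO_START = datetime(2024, 1, 1, 12, 0)  # constructed clock value for the demo


def hash_password(password: str) -> bytes:
    # PBKDF2 stands in for whatever password hash the service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


@dataclass
class Account:
    username: str
    password_hash: bytes
    phone: str
    pending_recovery: Optional[dict] = None  # {"requested": datetime, "cancel_token": str}


def login(acct: Account, password: str, sms_code: str, sent_code: str) -> bool:
    """SMS is checked only after the password succeeds, so it adds a hurdle
    rather than replacing the primary factor."""
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        return False
    return hmac.compare_digest(sms_code, sent_code)


def request_recovery(acct: Account, now: datetime) -> str:
    """Start an SMS-initiated recovery. Nothing changes yet; the service
    should notify every channel the owner already has (e-mail, app, the
    phone itself) with the cancel token so the real user can intervene."""
    token = secrets.token_urlsafe(16)
    acct.pending_recovery = {"requested": now, "cancel_token": token}
    return token


def cancel_recovery(acct: Account, token: str) -> bool:
    """The real owner cancels a recovery they did not start."""
    pending = acct.pending_recovery
    if pending and hmac.compare_digest(pending["cancel_token"], token):
        acct.pending_recovery = None
        return True
    return False


def complete_recovery(acct: Account, now: datetime, new_password: str) -> bool:
    """Only after the delay has elapsed, and only if nobody cancelled."""
    pending = acct.pending_recovery
    if pending is None:
        return False
    if now - pending["requested"] < RECOVERY_DELAY:
        return False  # still inside the cooling-off window
    acct.password_hash = hash_password(new_password)
    acct.pending_recovery = None
    return True


if __name__ == "__main__":
    acct = Account("alice", hash_password("correct horse"), "+15550000000")
    print("login ok:", login(acct, "correct horse", "123456", "123456"))
    token = request_recovery(acct, DEMO_START)
    print("immediate recovery:", complete_recovery(acct, DEMO_START, "new"))
    print("owner cancels:", cancel_recovery(acct, token))
```

The point of the delay is that a ported number gives the attacker the SMS channel but not the time window; every other channel the owner still controls gets the chance to stop the reset before it takes effect.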
See, that's the real problem though. If you can reset your password via SMS, then SMS isn't a second factor, it's a single factor. And it's a far less secure single factor than a strong and unique password!
FWIW I wouldn't regard SMS as a good 2nd authentication factor either, for the same reasons as this issue, it's too easy to get a carrier to transfer a number to an attacker.
Where it's used as a second factor, this still has an impact which is, if an attacker can get the password (and there's been enough breaches and keystroke logging for that to be common) they can then grab the number to get full control of the account.
TOTP or hardware tokens don't generally suffer from the same problem.
SMS is perfectly good as an additional authentication factor. i.e. When you log in on a new device using your user name and password, you also need to type in the text message code you were sent. It is a convenient way to strictly increase the security of an account.
What SMS is terrible for is as a single point of account recovery. This is unfortunately how it is often used. "Multi factor authentication" in practice has become "Use any one of multiple available factors for authentication", which is awful.
SMS as a second factor is not a net reduction in security. The ability to hijack a phone via number porting or similar could give access to SMS messages, but by definition a second factor should never reduce your security.
What does reduce security is the use of SMS as a password reset mechanism, or any similar method that uses SMS as the only factor for authentication. Don't do that.
While a password+SMS 2FA would be better than just a password, the problem is that SMS often also gets turned into a single-factor password recovery mechanism; and SMS alone is worse security-wise than a decent password.
If someone can exploit your SMS, it's possible they can use that to social engineer their way into a password reset with services. (I forgot my password but I still have my phone.) So I would say a bad second factor can be strictly worse than no second factor.
And even if SMS starts off being just a second factor, it often gets changed to be used for account resets too, so it becomes a single vulnerable factor.
> As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still an "extra hurdle" that improves security over just a password
Perhaps, but often 2FA is leaned on to reduce the significance of the primary factor or shift liability.
> The problem comes when a site allows account resets over SMS because then they've just traded one single factor (a password) for another weaker one (SMS).
Yeah, exactly — that would be one way some "2FA" systems weaken the primary factor.
I think having SMS codes as a second factor is better than nothing at all. Changes the risk profile significantly. Anybody can try to brute-force your password, but a smaller group of people have the ability to intercept your SMS messages.
SMS as a second factor is not bad - it has problems, but those shouldn't make the security worse than no second factor and strictly higher in most situations. The problem is that giving a company your number risks them letting an impostor use it as the only factor or in combination with useless "secrets" like publicly available personal data. This has happened often enough that you have to assume adding a phone number to your account makes it less secure.
SMS as an account recovery mechanism is the problem.